arraymap

The Cortex XDR XQL arraymap() function applies a callable function to every element of an array.

Synopsis

arraymap (<array>, <function()>)

Description

The arraymap() function applies a specified function to every element of an array. For functions that require a field name, use "@element" in its place; it stands for the current array element.

Examples

Extract the MAC address from the agent_interface_map field. This example uses the json_extract_scalar, to_json_string, json_extract_array, and arraystring functions to extract the desired information.

dataset = xdr_data
| alter mac = arraystring(
    arraymap(
      json_extract_array(to_json_string(agent_interface_map), "$."),
      json_extract_scalar("@element", "$.mac")
    ),
    ",")
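
The data flow of the query above, modelled in Python as an added example (not part of the original documentation and not Cortex XDR code). The sample record, its "ip" key, and the treatment of "$." as the root path are assumptions made for illustration; only the "mac" key comes from the query.

```python
import json

ELEMENT = "@element"  # placeholder that stands for the current array element


def to_json_string(value):
    return json.dumps(value)


def json_extract_array(json_text, path):
    """Model: "$." selects the root array; each element comes back as JSON text."""
    if path != "$.":
        raise ValueError("this model only handles the root path used in the query")
    root = json.loads(json_text)
    if not isinstance(root, list):
        raise ValueError("root is not a JSON array")
    return [json.dumps(item) for item in root]


def json_extract_scalar(json_text, path):
    """Model: "$.key" returns the scalar under key as a string.
    A missing key raises KeyError; XQL's null handling is not modelled here."""
    if not path.startswith("$."):
        raise ValueError("path must start with '$.'")
    return str(json.loads(json_text)[path[2:]])


def arraymap(array, func, *args):
    """Call func once per element, substituting the element wherever "@element" appears."""
    return [func(*(elem if a == ELEMENT else a for a in args)) for elem in array]


def arraystring(array, delimiter):
    return delimiter.join(array)


# Constructed sample; a real agent_interface_map value may carry other keys.
SAMPLE = [
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    {"ip": "192.168.1.20", "mac": "66:77:88:99:aa:bb"},
]


def extract_macs(agent_interface_map):
    elements = json_extract_array(to_json_string(agent_interface_map), "$.")
    macs = arraymap(elements, json_extract_scalar, ELEMENT, "$.mac")
    return arraystring(macs, ",")


if __name__ == "__main__":
    print(extract_macs(SAMPLE))
```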
